Nmap Development mailing list archives
Re: POODLE vulnerability in TLS not just SSL
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 9 Dec 2014 10:53:18 -0600
Copy-pasting from my comment on Reddit: [ssl-poodle only tests] for the known-bad condition of SSLv3 with CBC cipher support. The article is saying that even TLSv1.0 and higher can be vulnerable if the implementation is not strict enough. I considered how to write an Nmap script for this new condition, but there's not really a good way to do it, since it has to modify the way that data is sent post-handshake (by using random padding instead of PKCS #7 padding), which OpenSSL doesn't let you do. The only alternative I can see at the moment is implementing a full TLS client in Lua, or at least most of one and binding the core crypto stuff to OpenSSL. Dan On Tue, Dec 9, 2014 at 9:46 AM, Jasey DePriest <jrdepriest () gmail com> wrote:
With the revelation that the POODLE attack can be used against some implementations of TLS, will the ssl-poodle script be updated to detect vulnerable systems? Qualys SSLLabs already checks for it as POODLE (TLS). References: http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites/ https://isc.sans.edu/forums/diary/POODLE+Strikes+Bites+Again/ https://www.imperialviolet.org/2014/12/08/poodleagain.html https://www.ietf.org/mail-archive/web/tls/current/msg14058.html https://www.ietf.org/mail-archive/web/tls/current/msg14072.html --- Thanks! Jasey DePriest _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- POODLE vulnerability in TLS not just SSL Jasey DePriest (Dec 09)
- Re: POODLE vulnerability in TLS not just SSL Daniel Miller (Dec 09)
- Re: POODLE vulnerability in TLS not just SSL Mariusz Ziulek (Dec 21)
- Re: POODLE vulnerability in TLS not just SSL Daniel Miller (Dec 09)